by tptacek 3111 days ago
To really sort of grok the context here, it's helpful to compare not RSA but "conventional" DH in Z/pZ --- so the fundamental key exchange algorithm is the same, and what you're doing is swapping in a different group.

Where this starts to get tricky is in understanding how dlog algorithms that are effective on multiplicative group Diffie Hellman --- notably index calculus --- are ineffective on elliptic curves.

We are way off the edge of my understanding of the theory here but the point I'd make is that the distinction between the two groups --- Z/pZ and a curve --- involves domain knowledge that you wouldn't get in a first course on abstract algebra.

1 comments

Actually, index calculus attacks can be applied to certain elliptic curves; for example, supersingular curves. This is one of the reasons why we use standardized curve parameters that have been checked for known weaknesses.

There is also a really interesting class of curves for which the index calculus attack is exactly as hard as the "direct" ECDLOG attacks (e.g. Pollard's rho). Those are the "pairing friendly" curves and there are a whole bunch of really interesting applications.
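One of the parameter checks alluded to in the reply above, as an added example that is not part of either comment: a pairing maps a curve subgroup of prime order n over F_p into the field F_{p^k}, where k is the smallest integer with p^k ≡ 1 (mod n), so a small k hands the discrete log to finite-field index calculus. The toy curve, the function names and the bound of 100 are assumptions of this example.

```python
# Added illustration: embedding-degree check for curve parameters.
# Function names, the toy curve and the bound are this example's own choices.

def count_points(p, a, b):
    """Points on y^2 = x^3 + a*x + b over F_p, by brute force (small p only)."""
    total = 1  # the point at infinity
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        if rhs == 0:
            total += 1                          # single point with y = 0
        elif pow(rhs, (p - 1) // 2, p) == 1:    # Euler's criterion: rhs is a square
            total += 2                          # two points, y and -y
    return total

def largest_prime_factor(m):
    """Largest prime factor by trial division (small m only)."""
    f, best = 2, 1
    while f * f <= m:
        while m % f == 0:
            best, m = f, m // f
        f += 1
    return m if m > 1 else best

def embedding_degree(p, n, bound=100):
    """Smallest k <= bound with p^k == 1 (mod n); None if no such k exists."""
    acc = 1
    for k in range(1, bound + 1):
        acc = acc * p % n
        if acc == 1:
            return k
    return None

# Constructed toy: y^2 = x^3 + x over F_p with p % 4 == 3 is supersingular,
# so it has exactly p + 1 points.
TOY_P = 1019
TOY_ORDER = count_points(TOY_P, 1, 0)
TOY_N = largest_prime_factor(TOY_ORDER)

# NIST P-256 field prime and (prime) group order.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

if __name__ == "__main__":
    print("toy order:", TOY_ORDER, "subgroup:", TOY_N,
          "embedding degree:", embedding_degree(TOY_P, TOY_N))
    print("P-256 embedding degree <= 100:", embedding_degree(P256_P, P256_N))
```

The supersingular toy lands in F_{p^2}, while P-256 has no embedding degree up to the bound, which is the property a parameter check of this kind looks for.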